Understanding the dynamics of cyber threats is crucial for today's digital defenses. Researchers from Nanjing University, Jiangsu University of Science and Technology, and Southeast University have discovered that optimizing the execution time of malware in sandbox environments can significantly enhance the completeness and quality of cyber threat intelligence (CTI) data.
Their findings, published on 15 April 2026 in Frontiers of Computer Science, co-published by Higher Education Press and Springer Nature, offer a new empirical framework that could reshape how large-scale cybersecurity operations gather actionable intelligence.
Malware analysts have long relied on sandbox environments to observe the behaviors of suspicious programs. However, the industry-standard approach often uses fixed execution times without empirical backing, risking either premature termination of important behaviors or inefficient overlong analysis.
To address this, the research team conducted a large-scale analysis on over 110,000 malware samples, examining system calls, code execution blocks, and data entry access patterns. They modeled the intelligence acquisition process using Extreme Value Theory (EVT), a statistical method for understanding rare but critical events.
Their findings reveal that over 90% of useful intelligence is extracted within the first three minutes of execution, and the probability of acquiring new threat intelligence diminishes rapidly afterward. Specifically, after 180 seconds, the probability of observing new intelligence drops to 9.2%, and further declines to 5.6% after 10 minutes.
This groundbreaking insight offers a data-driven standard for determining optimal sandbox execution times — balancing intelligence completeness with resource efficiency — rather than relying on arbitrary preset thresholds.
Novel empirical framework: Introduced an EVT-based model to dynamically predict the likelihood of acquiring additional threat intelligence over time.
Large-scale data foundation: Analyzed execution behavior across 111,747 malware samples and mapped behavioral traces into MITRE ATT&CK TTPs.
Clear practical guidance: Recommended optimizing sandbox execution time around 3–5 minutes for intelligence extraction scenarios, minimizing resource waste without missing valuable data.
Enhanced threat detection capability: The findings provide a basis for developing adaptive sandbox platforms that intelligently adjust execution times based on real-time data evolution.
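The two quantities the study reports, the share of intelligence captured by a cutoff and the probability that a sample still yields something new after it, can be estimated empirically from sandbox traces. The following is an added illustration, not the authors' code or their EVT model: it uses a plain empirical estimator over a handful of constructed traces (timestamps in seconds, behaviour labels such as syscall names or ATT&CK technique ids are assumed placeholders).

```python
# Constructed sample traces: sample_id -> list of (seconds, behaviour_label).
# The labels mix syscall names and ATT&CK technique ids purely as illustration.
TRACES = {
    "s1": [(0.5, "NtCreateFile"), (2.0, "T1055"), (40.0, "NtCreateFile"), (170.0, "T1071")],
    "s2": [(1.0, "NtOpenKey"), (30.0, "T1547"), (100.0, "NtOpenKey")],
    "s3": [(0.2, "NtCreateFile"), (150.0, "T1082"), (700.0, "T1486")],
    "s4": [(5.0, "T1055")],
    "s5": [(3.0, "NtWriteFile"), (60.0, "T1059"), (95.0, "T1105")],
}


def first_seen_times(trace):
    """Sorted times at which each distinct behaviour first appears in one trace.

    Repeats of an already-seen behaviour carry no new intelligence, so only
    the first occurrence of each label counts.
    """
    seen = {}
    for t, label in sorted(trace):
        seen.setdefault(label, t)
    return sorted(seen.values())


def coverage_at(traces, cutoff):
    """Fraction of all distinct (sample, behaviour) pairs observed by `cutoff` seconds."""
    total = captured = 0
    for trace in traces.values():
        times = first_seen_times(trace)
        total += len(times)
        captured += sum(1 for t in times if t <= cutoff)
    return captured / total if total else 0.0


def prob_new_after(traces, cutoff):
    """Share of samples that still produce at least one new behaviour after `cutoff`."""
    still_new = sum(
        1 for trace in traces.values() if any(t > cutoff for t in first_seen_times(trace))
    )
    return still_new / len(traces) if traces else 0.0


def recommend_cutoff(traces, target=0.9, step=30, max_seconds=1800):
    """Smallest multiple of `step` seconds whose coverage reaches `target`.

    Falls back to `max_seconds` when the target is never reached, so a caller
    always gets a finite execution budget.
    """
    for cutoff in range(step, max_seconds + 1, step):
        if coverage_at(traces, cutoff) >= target:
            return cutoff
    return max_seconds
```

On the constructed traces the 90% coverage target is reached at 180 seconds, while one in five samples would still reveal a new behaviour after that cutoff, which is the trade-off the study quantifies at scale.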
DOI: 10.1007/s11704-025-50245-y